Skip to content

fix: security_and_analysis.code_security bug#3527

Open
jtgorny wants to merge 2 commits into
integrations:mainfrom
jtgorny:jtgorny/code-security-bug
Open

fix: security_and_analysis.code_security bug#3527
jtgorny wants to merge 2 commits into
integrations:mainfrom
jtgorny:jtgorny/code-security-bug

Conversation

@jtgorny

@jtgorny jtgorny commented Jul 7, 2026

Copy link
Copy Markdown

Resolves #3501


Before the change?

  • The security_and_analysis.code_security attribute was defined in the schema but never wired into the calculateSecurityAndAnalysis or flattenSecurityAndAnalysis functions. This meant that setting code_security had no effect on the API call, and the API response for code_security was never read back into state. This caused perpetual diffs.

After the change?

  • calculateSecurityAndAnalysis now includes code_security when building the SecurityAndAnalysis request
  • flattenSecurityAndAnalysis now reads CodeSecurity from the API response and writes it back into Terraform state.
  • Added unit tests coverage

Pull request checklist

  • Schema migrations have been created if needed (example)
  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

  • Yes
  • No

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

👋 Hi, and thank you for this contribution!

This repo is maintained by GitHub and community members on a best-effort basis. We'll get to this as soon as we can.

You can help us prioritize by joining the discussion on open issues and PRs, sharing details on the changes you need, and reviewing other contributions.


🤖 This is an automated message.

@deiga deiga left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Partial review.

Please add an acceptance testcase as well

Comment thread github/resource_github_repository_test.go Outdated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes issue #3501, where the security_and_analysis.code_security block was declared in the github_repository schema but never wired into the read or write paths. As a result, code_security was never sent to the GitHub API on create/update and never read back into state, producing a permanent plan diff that never converged. The fix mirrors the existing handling for advanced_security.

Changes:

  • calculateSecurityAndAnalysis now maps code_security into the SecurityAndAnalysis request (write path).
  • flattenSecurityAndAnalysis now reads CodeSecurity from the API response into Terraform state when present (read path), consistent with the conditional advanced_security handling.
  • Adds three unit tests covering the write path, the read/flatten path, and a config round-trip.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
github/resource_github_repository.go Wires code_security into both the write (calculateSecurityAndAnalysis) and read (flattenSecurityAndAnalysis) paths, resolving the perpetual diff.
github/resource_github_repository_test.go Adds unit tests for the calculate, flatten, and round-trip behavior of code_security.

Verification notes: Confirmed against google/go-github v88.0.0 that SecurityAndAnalysis includes a CodeSecurity *CodeSecurity field and that CodeSecurity exposes Status *string, so GetCodeSecurity()/GetStatus() and the write assignment compile. Docs (docs/resources/repository.md) already document code_security.

Residual risk (non-blocking, pre-existing, outside this diff): Two sibling attributes declared in the same schema block — secret_scanning_ai_detection and secret_scanning_non_provider_patterns — remain unwired in both calculateSecurityAndAnalysis and flattenSecurityAndAnalysis, so they retain the same class of perpetual-diff bug this PR fixes for code_security. These are outside the scope of issue #3501 and the changed regions, so no inline comment is attached, but they may warrant a follow-up.

@stevehipwell

Copy link
Copy Markdown
Collaborator

@deiga is this one of the parts of the repository resource that we planned to deprecate and replace with separate resources or data sources?

@deiga

deiga commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

@stevehipwell yep, though I haven't done a thorough analysis of feasibility yet

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG]: security_and_analysis.code_security causes a permanent diff (never read back / never written)

4 participants